Description

`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version 17.1.3, this can be bypassed by encoding `/` as its URL encoded form `%2F`. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue.

INFO

Published Date :

2024-11-01T16:16:29.482Z

Last Modified :

2024-11-01T17:35:10.386Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-49770 vulnerability.

Vendors Products
Oakserver
  • Oak
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-49770.

URL Resource
https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125 cve-icon cve-icon
https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25 cve-icon cve-icon
https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209 cve-icon cve-icon
https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability